TEST_F(ResourceFetcherTest, Revalidate304) {
KURL url(ParsedURLString, "http://127.0.0.1:8000/foo.html");
Resource* resource = RawResource::create(url, Resource::Raw);
memoryCache()->add(resource);
ResourceResponse response;
response.setURL(url);
response.setHTTPStatusCode(304);
response.setHTTPHeaderField("etag", "1234567890");
resource->responseReceived(response, nullptr);
resource->finish();
ResourceFetcher* fetcher =
ResourceFetcher::create(ResourceFetcherTestMockFetchContext::create());
ResourceRequest resourceRequest(url);
resourceRequest.setRequestContext(WebURLRequest::RequestContextInternal);
FetchRequest fetchRequest =
FetchRequest(resourceRequest, FetchInitiatorInfo());
Platform::current()->getURLLoaderMockFactory()->registerURL(
url, WebURLResponse(), "");
Resource* newResource = RawResource::fetch(fetchRequest, fetcher);
fetcher->stopFetching();
Platform::current()->getURLLoaderMockFactory()->unregisterURL(url);
EXPECT_NE(resource, newResource);
}
// Test that the loader can allow non-whitelisted response headers for trusted CORS loads.
TEST_F(AssociatedURLLoaderTest, CrossOriginHeaderAllowResponseHeaders)
{
WebURLRequest request;
request.initialize();
KURL url = toKURL("http://www.other.com/CrossOriginHeaderAllowResponseHeaders.html");
request.setURL(url);
WebString headerNameString(WebString::fromUTF8("non-whitelisted"));
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
m_expectedResponse.addHTTPHeaderField("Access-Control-Allow-Origin", "*");
m_expectedResponse.addHTTPHeaderField(headerNameString, "foo");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.exposeAllResponseHeaders = true; // This turns off response whitelisting.
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
EXPECT_FALSE(m_actualResponse.httpHeaderField(headerNameString).isEmpty());
}
// Test an unsuccessful cross-origin load using CORS.
TEST_F(AssociatedURLLoaderTest, CrossOriginWithAccessControlFailureBadStatusCode)
{
// This is cross-origin since the frame was loaded from www.test.com.
KURL url = toKURL("http://www.other.com/CrossOriginWithAccessControlFailure.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(0);
m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
// Failure should not be reported synchronously.
EXPECT_FALSE(m_didFail);
// The loader needs to receive the response, before doing the CORS check.
serveRequests();
EXPECT_TRUE(m_didFail);
EXPECT_FALSE(m_didReceiveResponse);
}
TEST_F(ResourceFetcherTest, Vary) {
KURL url(ParsedURLString, "http://127.0.0.1:8000/foo.html");
Resource* resource = RawResource::create(url, Resource::Raw);
memoryCache()->add(resource);
ResourceResponse response;
response.setURL(url);
response.setHTTPStatusCode(200);
response.setHTTPHeaderField(HTTPNames::Cache_Control, "max-age=3600");
response.setHTTPHeaderField(HTTPNames::Vary, "*");
resource->responseReceived(response, nullptr);
resource->finish();
ASSERT_TRUE(resource->hasVaryHeader());
ResourceFetcher* fetcher =
ResourceFetcher::create(ResourceFetcherTestMockFetchContext::create());
ResourceRequest resourceRequest(url);
resourceRequest.setRequestContext(WebURLRequest::RequestContextInternal);
FetchRequest fetchRequest =
FetchRequest(resourceRequest, FetchInitiatorInfo());
Platform::current()->getURLLoaderMockFactory()->registerURL(
url, WebURLResponse(), "");
Resource* newResource = RawResource::fetch(fetchRequest, fetcher);
EXPECT_NE(resource, newResource);
newResource->loader()->cancel();
memoryCache()->remove(newResource);
Platform::current()->getURLLoaderMockFactory()->unregisterURL(url);
memoryCache()->remove(resource);
}
void didReceiveResponse(WebURLLoader* loader, const WebURLResponse& response) override
{
m_didReceiveResponse = true;
m_actualResponse = WebURLResponse(response);
EXPECT_EQ(m_expectedLoader, loader);
EXPECT_EQ(m_expectedResponse.url(), response.url());
EXPECT_EQ(m_expectedResponse.httpStatusCode(), response.httpStatusCode());
}
// Test that a cross origin redirect response with CORS headers that allow the requesting origin succeeds.
TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlSuccess)
{
KURL url = toKURL("http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html");
char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlSuccess.html"; // Cross-origin
KURL redirectURL = toKURL(redirect);
WebURLRequest request;
request.initialize();
request.setURL(url);
// Add a CORS simple header.
request.setHTTPHeaderField("accept", "application/json");
// Create a redirect response that allows the redirect to pass the access control checks.
m_expectedRedirectResponse = WebURLResponse();
m_expectedRedirectResponse.initialize();
m_expectedRedirectResponse.setMIMEType("text/html");
m_expectedRedirectResponse.setHTTPStatusCode(301);
m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
m_expectedRedirectResponse.addHTTPHeaderField("access-control-allow-origin", "*");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
m_expectedNewRequest = WebURLRequest();
m_expectedNewRequest.initialize();
m_expectedNewRequest.setURL(redirectURL);
m_expectedNewRequest.setHTTPHeaderField("accept", "application/json");
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*");
Platform::current()->unitTestSupport()->registerMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
// We should not receive a notification for the redirect.
EXPECT_FALSE(m_willSendRequest);
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
// Test that a cross origin redirect response without CORS headers fails.
TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlFailure)
{
KURL url = toKURL("http://www.test.com/RedirectCrossOriginWithAccessControlFailure.html");
char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlFailure.html"; // Cross-origin
KURL redirectURL = toKURL(redirect);
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedRedirectResponse = WebURLResponse();
m_expectedRedirectResponse.initialize();
m_expectedRedirectResponse.setMIMEType("text/html");
m_expectedRedirectResponse.setHTTPStatusCode(301);
m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
m_expectedNewRequest = WebURLRequest();
m_expectedNewRequest.initialize();
m_expectedNewRequest.setURL(redirectURL);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
// We should get a notification about access control check failure.
EXPECT_FALSE(m_willSendRequest);
EXPECT_FALSE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFail);
}
// Test a cross-origin URL redirect without Access Control set.
TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginFailure)
{
KURL url = toKURL("http://www.test.com/RedirectCrossOriginFailure.html");
char redirect[] = "http://www.other.com/RedirectCrossOriginFailure.html"; // Cross-origin
KURL redirectURL;
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedRedirectResponse = WebURLResponse();
m_expectedRedirectResponse.initialize();
m_expectedRedirectResponse.setMIMEType("text/html");
m_expectedRedirectResponse.setHTTPStatusCode(301);
m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
m_expectedNewRequest = WebURLRequest();
m_expectedNewRequest.initialize();
m_expectedNewRequest.setURL(redirectURL);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
m_expectedLoader = createAssociatedURLLoader();
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_FALSE(m_willSendRequest);
EXPECT_FALSE(m_didReceiveResponse);
EXPECT_FALSE(m_didReceiveData);
EXPECT_FALSE(m_didFinishLoading);
}
void AssociatedURLLoader::ClientAdapter::didReceiveResponse(unsigned long, const ResourceResponse& response)
{
// Try to use the original ResourceResponse if possible.
WebURLResponse validatedResponse = WrappedResourceResponse(response);
HTTPResponseHeaderValidator validator(m_options.crossOriginRequestPolicy == WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl);
if (!m_options.exposeAllResponseHeaders)
validatedResponse.visitHTTPHeaderFields(&validator);
// If there are blocked headers, copy the response so we can remove them.
const HTTPHeaderSet& blockedHeaders = validator.blockedHeaders();
if (!blockedHeaders.isEmpty()) {
validatedResponse = WebURLResponse(validatedResponse);
HTTPHeaderSet::const_iterator end = blockedHeaders.end();
for (HTTPHeaderSet::const_iterator it = blockedHeaders.begin(); it != end; ++it)
validatedResponse.clearHTTPHeaderField(*it);
}
m_client->didReceiveResponse(m_loader, validatedResponse);
}
// Test a successful same-origin URL load.
TEST_F(AssociatedURLLoaderTest, SameOriginSuccess)
{
KURL url = toKURL("http://www.test.com/SameOriginSuccess.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
m_expectedLoader = createAssociatedURLLoader();
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
// Test a successful cross-origin load.
TEST_F(AssociatedURLLoaderTest, CrossOriginSuccess)
{
// This is cross-origin since the frame was loaded from www.test.com.
KURL url = toKURL("http://www.other.com/CrossOriginSuccess.html");
WebURLRequest request;
request.initialize();
request.setURL(url);
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyAllow;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
}
bool CheckAccessControlHeaders(const char* headerName, bool exposed)
{
std::string id("http://www.other.com/CheckAccessControlExposeHeaders_");
id.append(headerName);
if (exposed)
id.append("-Exposed");
id.append(".html");
KURL url = toKURL(id);
WebURLRequest request;
request.initialize();
request.setURL(url);
WebString headerNameString(WebString::fromUTF8(headerName));
m_expectedResponse = WebURLResponse();
m_expectedResponse.initialize();
m_expectedResponse.setMIMEType("text/html");
m_expectedResponse.setHTTPStatusCode(200);
m_expectedResponse.addHTTPHeaderField("Access-Control-Allow-Origin", "*");
if (exposed)
m_expectedResponse.addHTTPHeaderField("access-control-expose-headers", headerNameString);
m_expectedResponse.addHTTPHeaderField(headerNameString, "foo");
Platform::current()->unitTestSupport()->registerMockedURL(url, m_expectedResponse, m_frameFilePath);
WebURLLoaderOptions options;
options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
m_expectedLoader = createAssociatedURLLoader(options);
EXPECT_TRUE(m_expectedLoader);
m_expectedLoader->loadAsynchronously(request, this);
serveRequests();
EXPECT_TRUE(m_didReceiveResponse);
EXPECT_TRUE(m_didReceiveData);
EXPECT_TRUE(m_didFinishLoading);
return !m_actualResponse.httpHeaderField(headerNameString).isEmpty();
}